Hi Peter,
In my opinion the static option is not necessary if you don't have a DHCP 
snooping database. Actually, I tried it with and without it and received the 
same results. Namely, I had an ARP ACL with three IP-to-MAC mappings and 
referenced it in the ARP inspection statement.

arp access-list ARP-ACL
 permit ip host 10.0.0.1 mac host 0023.ebd5.f31f log
 permit ip host 10.0.0.100 mac host 000c.2944.79f0 log
 permit ip host 10.0.0.254 mac host 0023.3448.0e47 log

ip arp inspection vlan 100
ip arp inspection filter ARP-ACL vlan 100 static

My note: it's not enough to have just the "ip arp inspection filter ARP-ACL 
vlan 100" statement. You have to enable "ip arp inspection vlan 100" globally. 
Without it there's no ARP inspection at all.

The switch would say:

SW2#sh ip arp inspec

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
No active or enabled vlans on switch

Eugene


From: Peter Jørgensen <[email protected]>
Date: Friday, August 24, 2012 4:55 AM
To: [email protected]
Subject: [OSL | CCIE_Security] DHCP Snooping in NON-DHCP Environment



Hi CCIE candidates



In a non-DHCP environment we should skip all the DHCP snooping config part 
because we have no DHCP snooping database. Then the ARP inspection config 
should look like this:


arp access-list ARP-LIST
permit ip host 10.10.10.10 mac host 1111.2222.3333 (allow non-dhcp client)
!
ip arp inspection filter ARP-LIST vlan 10 static (only validate against the ARP ACL)*


* There is another option for the DAI filter and that is "static". If we 
applied this argument to the command, DAI would only check the ARP ACL and not 
fall back to the DHCP snooping database.


My question is:

Should we use the "static" keyword when we use ARP inspection in a non-DHCP 
environment? I think not....because we have no snooping database to fall back 
to. I think the static keyword is only needed in a mixed environment - i.e. an 
environment with both DHCP hosts and statically assigned hosts and with DHCP 
snooping and DAI enabled. Please correct me if my understanding is wrong....




Peter Jørgensen
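
Added example, not written by either poster and not Cisco code: a small Python model of the DAI decision order discussed in this thread (ARP ACL first, then the DHCP snooping bindings unless "static" is set), for a packet arriving on an untrusted port. The ACL entries are the ones from the reply above; the spoofed and DHCP sender addresses, the class and the function names are constructed for illustration, and ACL matching is simplified to exact host entries.

```python
from dataclasses import dataclass, field

@dataclass
class DaiVlan:
    enabled: bool = False                       # "ip arp inspection vlan <id>"
    acl: list = field(default_factory=list)     # ordered (action, ip, mac) host entries
    static: bool = False                        # "static" keyword on the filter
    bindings: set = field(default_factory=set)  # DHCP snooping (ip, mac) pairs

def inspect(vlan, ip, mac):
    """Return (verdict, reason) for the sender IP/MAC of an ARP packet."""
    if not vlan.enabled:
        return "forward", "inspection not enabled on VLAN"
    for action, acl_ip, acl_mac in vlan.acl:
        if (acl_ip, acl_mac) == (ip, mac):
            if action == "permit":
                return "forward", "ARP ACL permit"
            return "drop", "ARP ACL explicit deny"
    if vlan.static:
        return "drop", "ARP ACL implicit deny (static)"
    if (ip, mac) in vlan.bindings:
        return "forward", "DHCP snooping binding"
    return "drop", "no ACL entry and no binding"

# ACL entries as posted in the reply
ACL = [("permit", "10.0.0.1", "0023.ebd5.f31f"),
       ("permit", "10.0.0.100", "000c.2944.79f0"),
       ("permit", "10.0.0.254", "0023.3448.0e47")]

# Constructed senders (MACs taken from the documentation range)
KNOWN = ("10.0.0.1", "0023.ebd5.f31f")      # matches an ACL entry
SPOOF = ("10.0.0.254", "0000.5e00.5301")    # gateway IP claimed by another MAC
DHCP_HOST = ("10.0.0.50", "0000.5e00.5302") # known only through DHCP snooping

def compare(bindings):
    """Verdict per sample sender as (without static, with static)."""
    out = {}
    for name, pkt in (("known", KNOWN), ("spoof", SPOOF), ("dhcp", DHCP_HOST)):
        out[name] = tuple(
            inspect(DaiVlan(True, ACL, s, bindings), *pkt)[0] for s in (False, True))
    return out

if __name__ == "__main__":
    print("empty snooping DB:", compare(set()))
    print("mixed environment:", compare({DHCP_HOST}))
    print("filter without VLAN enable:", inspect(DaiVlan(False, ACL, True), *SPOOF))
```

With an empty binding table the two columns are identical, and they differ only for the DHCP-learned host once a binding exists.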